1.1. Alice runs a Set-UID program that is owned by Bob. The program tries to read from /tmp/x, which is readable to Alice, but not to anybody else. Can this program successfully read from the file?
No. The kernel checks file permissions against the process's effective user ID, which is Bob's while the Set-UID program runs, and /tmp/x is not readable to Bob, so the read fails. The program could read the file only if it first switched its effective UID back to Alice's real UID, for example with seteuid(getuid()).
1.2. A process tries to open a file for read. The process’s effective user ID is 1000, and real user ID is 2000. The file is readable to user ID 2000, but not to user ID 1000. Can this process successfully open the file?
No. The permission check uses the effective user ID (1000), not the real user ID (2000), so open() fails with EACCES. The process could succeed only by first calling seteuid(2000), which is permitted because 2000 is its real user ID.
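The two cases above come down to which UID open() is checked against, and to the fact that a Set-UID program can switch its effective UID to the real UID and back. The C program below is an added example written for these notes, not code from the textbook: open_as_effective_user() is the plain open() of 1.1/1.2, open_as_real_user() is the seteuid(getuid()) switch, and demo_round_trip() is a self-check on a constructed mode-0600 temp file under /tmp (an assumed writable location) so the code runs without root. When real and effective UID are equal, as in an ordinary run, both paths succeed; inside a real Set-UID program only the second one can read a file that is private to the real user.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Plain open(): the kernel checks permissions against the effective UID.
 * Inside a Set-UID program this is the owner's identity (Bob's in 1.1,
 * UID 1000 in 1.2), so a file readable only to the real user fails here. */
int open_as_effective_user(const char *path) {
    return open(path, O_RDONLY);
}

/* Temporarily become the real user, open, then switch back. The saved
 * set-user-ID still holds the owner's UID, so seteuid(saved_euid) is
 * permitted afterwards and the program regains its privilege. Use
 * setuid(getuid()) instead when the privilege should be dropped for good. */
int open_as_real_user(const char *path) {
    uid_t saved_euid = geteuid();
    if (seteuid(getuid()) != 0)
        return -1;
    int fd = open(path, O_RDONLY);
    int open_errno = errno;
    if (seteuid(saved_euid) != 0) {
        /* Cannot regain the privilege: do not carry on half-switched. */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = open_errno;
    return fd;
}

/* Self-check usable without root: write `content` (constructed input) to a
 * temp file that mkstemp() creates with mode 0600, open it one of the two
 * ways, and verify the bytes come back. Returns 1 on success, else 0. */
int demo_round_trip(const char *content, int as_real_user) {
    char path[] = "/tmp/setuid_demo_XXXXXX";   /* assumed writable */
    int wfd = mkstemp(path);
    if (wfd < 0)
        return 0;
    size_t len = strlen(content);
    int ok = write(wfd, content, len) == (ssize_t)len;
    close(wfd);
    if (ok) {
        int fd = as_real_user ? open_as_real_user(path)
                              : open_as_effective_user(path);
        char buf[256];
        ssize_t n = fd >= 0 ? read(fd, buf, sizeof buf) : -1;
        ok = n == (ssize_t)len && memcmp(buf, content, len) == 0;
        if (fd >= 0)
            close(fd);
    }
    unlink(path);
    return ok;
}

int main(void) {
    printf("real uid %u, effective uid %u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    printf("open as effective user: %s\n",
           demo_round_trip("hello", 0) ? "ok" : "failed");
    printf("open as real user:      %s\n",
           demo_round_trip("hello", 1) ? "ok" : "failed");
    return 0;
}
```

To see the difference between the two functions rather than two successes, install the binary as a Set-UID program owned by another account (chown, then chmod 4755, in that order) and point it at a file only the invoking user can read.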
1.3. A root-owned Set-UID program allows a normal user to gain the root privilege while executing the program. What prevents the user from doing bad things using the privilege?
The process is confined to the program's code: it can perform only the operations the program was written to perform, and the user can influence it only through the inputs the program accepts. The privilege becomes dangerous only when the program's own logic can be abused, for example by passing untrusted input to a shell or opening a file the user chooses.
1.4. We are trying to turn a program prog owned by the seed user into a Set-UID program that is owned by root. Can running the following commands achieve the goal?
$ sudo chmod 4755 prog
$ sudo chown root prog
No. When chown changes the owner of a file it clears the Set-UID bit, so after the second command prog is owned by root but is no longer Set-UID. Run the commands in the opposite order: sudo chown root prog first, then sudo chmod 4755 prog.
1.5. The chown command automatically disables the Set-UID bit, when it changes the owner of a Set-UID program. Please explain why it does that.
The decision to make a program Set-UID belongs to the program's owner, because a Set-UID program runs with the owner's privilege. Since chown transfers the ownership, it is now the new owner's job to decide whether the program should always run with his privilege; silently carrying the bit over would let the old owner hand out the new owner's privilege to everyone who runs the program.
1.6. When we debug a program, we can change the program’s internal variables during the execution. This can change a program’s behavior. Can we use this technique to debug a Set-UID program and change its behavior? For example, if the program is supposed to open the /tmp/xyz file, we can modify the filename string, so the Set-UID program ends up opening /etc/passwd.
No. An unprivileged user cannot attach a debugger to a process whose effective UID differs from their own, and when a process that is already being traced executes a Set-UID program, the kernel ignores the Set-UID bit and runs it with the user's ordinary privilege. Debugging a Set-UID program with its privilege intact therefore requires running the debugger as root. Otherwise anyone could run a debugger on /bin/su, alter its variables, and run arbitrary programs as root.
1.7. Both system() and execve() can be used to execute external programs. Why is system() unsafe while execve() is safe?
system(cmd) hands its argument to the shell (/bin/sh -c cmd). If any part of that string comes from the user, the shell honours the metacharacters in it: appending ";" followed by another command makes the shell run that command as well, with the Set-UID program's privilege.
execve(path, argv, envp) asks the kernel to run the program at path directly, with argv passed as an array of separate strings. No shell ever parses them, so a string such as "x; rm -rf /" is delivered to the program as one literal argument and nothing extra is executed.
1.8. When a program takes an input from users, we can redirect the input device, so the program can take the input from a file. For example, we can use prog < myfile to provide the data from myfile as input to the prog program. Now, if prog is a root-owned Set-UID program, can we use the following method to get this privileged program to read from the /etc/shadow file?
$ prog < /etc/shadow
No. The redirection is performed by the user's shell, which opens /etc/shadow before prog is even executed, and it does so with the user's own privilege. Since a normal user cannot read /etc/shadow, the open fails with a permission-denied error and prog never runs.
1.9. When a parent Set-UID process (effective user ID is root, and the real user ID is bob) creates a child process using fork(), the standard input, output, and error devices of the parent will be inherited by the child. If the child process drops its root privilege, it still retains the access right to these devices. This seems to be a capability leaking, similar to the capability-leaking case covered in this chapter. Can this pose any danger?
No danger. Although the parent Set-UID process runs with effective UID root, its real user ID is bob, because Bob started it from his shell (or a similar program). The parent's standard input, output and error devices were therefore inherited from Bob's shell, and the child simply inherits them again. After dropping root, the child has exactly the privilege Bob's shell already had over those devices, so no capability is leaked. The leak in the chapter's example is different: there the privileged process itself opened a file it could access only as root, and that descriptor outlived the privilege drop.
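What makes the chapter's case a leak, and the stdin/stdout case not, is that file descriptors are independent of the process's UIDs: a descriptor opened while privileged keeps working after setuid() drops the privilege. The following C model is an added example for these notes, not code from the textbook. A pipe pre-filled with a constructed secret stands in for a file the parent opened while its effective UID was root; the child drops privilege with setuid(getuid()) and then reads from the inherited descriptor. With close_before_drop set, the child applies the remedy of closing the privileged descriptor before giving up the privilege that obtained it. Run as an ordinary user the UID calls are no-ops, but the descriptor behaviour is the same as in a real Set-UID program.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Returns the number of bytes the child read from the inherited descriptor
 * after dropping privilege (0 if it had already closed it), or -1 on a
 * setup failure. `secret` is constructed input standing in for root-only
 * file contents. */
int bytes_child_reads_after_drop(const char *secret, int close_before_drop) {
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    /* Fill the pipe before forking: this is the "open while root" step. */
    size_t len = strlen(secret);
    if (write(fds[1], secret, len) != (ssize_t)len)
        return -1;
    close(fds[1]);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (close_before_drop) {
            /* Remedy: release privileged descriptors before dropping the
             * privilege, so nothing obtained as root survives the drop. */
            close(fds[0]);
            fds[0] = -1;
        }
        /* For a root process setuid() sets real, effective and saved UIDs,
         * so root cannot be regained. Open descriptors are unaffected. */
        if (setuid(getuid()) != 0)
            _exit(255);
        char buf[128];
        ssize_t n = fds[0] >= 0 ? read(fds[0], buf, sizeof buf) : 0;
        _exit(n < 0 ? 254 : (int)n);   /* exit code carries the byte count */
    }
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code >= 254 ? -1 : code;
}

int main(void) {
    const char *secret = "root-only data";
    printf("without closing: child read %d bytes after setuid()\n",
           bytes_child_reads_after_drop(secret, 0));
    printf("closing first:   child read %d bytes after setuid()\n",
           bytes_child_reads_after_drop(secret, 1));
    return 0;
}
```

The same reasoning applies to exec(): descriptors without the close-on-exec flag are inherited by the new program, which is why the chapter's remedy is to close (or mark FD_CLOEXEC) anything opened with privilege before dropping it or executing another program.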
1.10. The superuser wants to give Alice a permission to view all the files in the system using the more command. He does the following:
$ cp /bin/more /tmp/mymore
$ sudo chown root /tmp/mymore
$ sudo chmod 4700 /tmp/mymore
Basically, the above commands turn /tmp/mymore into a Set-UID program. Right now, because the permission is set to 4700, other users cannot execute the program. The superuser uses another command (not shown) to grant the execution permission only to Alice. We are not assuming that Alice is completely trusted. It is OK if Alice can only read other people’s files, but it is not OK if Alice can gain any privilege beyond that, such as writing to other people’s files. Please read the manual of the more program and find out what Alice can do to gain more privilege.
more lets the user run other programs from inside the pager: the v command opens the current file in an editor (the one named by the VISUAL or EDITOR environment variable, or vi by default), and the ! command runs a shell command. Because /tmp/mymore runs as root, the editor or shell it launches also runs as root, giving Alice a root shell and unrestricted read and write access to every file on the system.
1.11. Assume that you have a file that you would allow other users to read, only if a user’s ID is smaller than 1000. Please describe how you can actually achieve this.
Create a new group whose members are exactly the users with IDs smaller than 1000, make that group the file's group with chgrp, and set the permissions so the group can read the file but others cannot (for example chmod 640). The kernel checks group membership, not the numeric UID, so the group's membership has to be maintained as users are added or removed.
1.12. Sam found a very useful web page, which contains links to many interesting papers. He wants to download those papers. Instead of clicking on each of the links, he wrote a program that parses an HTML web page, gets the paper URLs from the page, and then uses a program called wget to fetch each identified URL. The following is the code snippet:
    char command[100];
    char *line, *url;
    line = getNextLine(file);        // Read in one line from the HTML file.
    while (line != NULL) {
        // Parse the line to get a URL string.
        url = parseURL(line);
        if (url != NULL) {
            // Construct a command, and execute it.
            sprintf(command, "%s %s", "wget", url);
            system(command);
        }
        line = getNextLine(file);
    }
The function sprintf() is quite similar to printf(), except that sprintf() puts the output in a buffer pointed to by the first argument, while printf() sends the output to the display. Note that the functions getNextLine() and parseURL() are also implemented by Sam (their code is not displayed here). The program wget is a command-line program in Unix that can be used to download web files from a given URL.
The owner of the web page knows what Sam is doing with his page; he wants to attack Sam's program. He knows the code above, but he does not know how Sam implements getNextLine() or parseURL(), though he suspects that Sam may make some mistakes there. (1) If you are the attacker, please describe how you plan to attack. (2) How do you fix the problem?
(1) Put a link on the page whose URL ends with a shell metacharacter followed by a command of the attacker's choosing, for example http://host/paper.pdf; malicious-command (the same works with |, backquotes or $(...)). system() passes the whole string to /bin/sh, so the shell runs wget and then the injected command with Sam's privilege. If parseURL() does not limit the URL's length, a very long URL also overflows the 100-byte command buffer, because sprintf() does not bound its output.
(2) Do not go through a shell: run wget with fork() and execve()/execvp(), passing the URL as its own argv element so that it is never parsed for metacharacters. In addition, have parseURL() accept only strings that look like http(s) URLs and contain no whitespace or shell metacharacters, and replace sprintf() with snprintf() (or drop the command buffer altogether) so that an over-long URL cannot overflow command.
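The following C program is an added example for questions 1.7 and 1.12, written for these notes rather than taken from the textbook. fetch_via_system() is Sam's system() pattern, fetch_via_exec() is the execvp() fix, and is_plausible_url() is the input check parseURL() should apply. Assumptions: the downloader is passed in as `prog`, and the demonstration uses echo in place of wget so it runs offline. The constructed hostile URL "http://papers.example/p1.pdf; exit 7" makes the difference visible through exit codes: the shell runs the injected "exit 7" and reports 7, while the exec path hands echo the whole string as one argument and reports 0.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Sam's pattern: interpolate the URL into a command line and hand it to
 * system(), which runs "/bin/sh -c <line>". The shell then parses the
 * attacker-controlled text, so ';', '|', '`' and '$(...)' in the URL
 * become separate commands. Returns the shell's exit status, -1 on error.
 * snprintf() here only bounds the write; the original sprintf() into
 * command[100] would additionally let an over-long URL overflow the buffer. */
int fetch_via_system(const char *prog, const char *url) {
    char command[256];
    int n = snprintf(command, sizeof command, "%s %s", prog, url);
    if (n < 0 || (size_t)n >= sizeof command)
        return -1;                       /* refuse rather than truncate */
    int status = system(command);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* The fix: no shell at all. fork() and execvp() the downloader with an
 * argv array; the URL reaches it as one literal argv element whatever
 * characters it contains. "--" keeps a URL that begins with '-' from
 * being read as an option. Returns the child's exit status, -1 on error. */
int fetch_via_exec(const char *prog, const char *url) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, "--", (char *)url, NULL };
        execvp(prog, argv);
        _exit(127);                      /* reached only if execvp() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Defence in depth for parseURL(): accept only http(s) URLs made of a
 * conservative subset of RFC 3986 characters. Whitespace and every shell
 * metacharacter are outside the set. Returns 1 if acceptable, else 0. */
int is_plausible_url(const char *url) {
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789-._~:/?#@%=&+";
    const char *rest;
    if (strncmp(url, "http://", 7) == 0)
        rest = url + 7;
    else if (strncmp(url, "https://", 8) == 0)
        rest = url + 8;
    else
        return 0;
    if (*rest == '\0')
        return 0;
    for (; *rest; rest++)
        if (strchr(allowed, *rest) == NULL)
            return 0;
    return 1;
}

int main(void) {
    /* Constructed hostile "URL": the trailing "; exit 7" is the injected
     * command. echo stands in for wget so this runs without a network. */
    const char *hostile = "http://papers.example/p1.pdf; exit 7";
    printf("system(): shell exit status %d (7 = injected command ran)\n",
           fetch_via_system("echo", hostile));
    printf("execvp(): child exit status %d (0 = URL passed literally)\n",
           fetch_via_exec("echo", hostile));
    printf("is_plausible_url(hostile) = %d\n", is_plausible_url(hostile));
    return 0;
}
```

With wget substituted for echo, fetch_via_exec() is the drop-in replacement for the sprintf()/system() pair in Sam's loop; the URL check belongs in parseURL() so that rejected links never reach either function.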